It relates in particular to a network including different types of subscriber terminals and switching modules, where subscriber lines connect each subscriber terminal with a switching module and transmission links connect each switching module to other switching modules in the network, and where the network further comprises cryptographic devices to undertake cryptographic transformation of the information transmitted through the network.
These paths are set up between network terminals which may be any kind of equipment, application, resource, manager, users etc., attached to the network in one way or another.
Data and telecommunication networks are built up from communicating switching modules such as PABXs and PBXs. The switching modules manage communication paths through sets of communication channels. These communication channels are the physical information carriers. The information signal or the data stream carried by a channel is enciphered whenever security is required. Enciphered data on a channel requires that cryptographic devices, which carry out the enciphering and deciphering process, be attached to the data stream connected to the channel.
Such cryptographic transformation in data and telecommunication networks where security is required is known from earlier work, and different solutions have been proposed.
Among the most straightforward solutions, link-by-link cryptographic equipment should be mentioned first. Here each transmission link has a cryptographic device, including encryption and decryption devices at each of its ends; this arrangement protects only the transmission links themselves. As a second, rather straightforward solution, there is end-to-end cryptographic equipment, where each subscriber involved has a cryptographic device that can be inserted into the traffic channel after the call has been set up. In the latter case the switches of the network are also included in the cryptographic path.
These solutions are, however, rather expensive and inflexible, as the cryptographic devices have to be permanently assigned to the links or to the subscribers involved.
From Japanese Patent Application No 85-121742 filed on Jun. 4, 1985, inventor Yasuhiro Watanabe (Early-disclosure No.: 86-278256), there is known a solution where each PABX is provided with special cipher trunks for ciphering and deciphering. The terminal units are connected with the public network through office trunks in the case of ordinary communication and through cipher trunks in the case of ciphered communication.
According to the above-cited Watanabe specification, ciphered communication can be executed between optional terminal units without installing a ciphering circuit and a deciphering circuit for every terminal unit. The Watanabe PABX has a number of office trunks which can be used for secured as well as non-secured transmission. Secure messages are routed through one of a number of cipher trunks before the data is transmitted through the public network. A central processing unit of the PABX controls the connection of terminal units intended for ciphered communication to the public network through the cipher trunks. In this layout the enciphering/deciphering equipment is part of the PABX.
In a presentation made by Swedish Telecom at ISS'90 and the associated paper "Information Protection in the Swedish ISDN" there is a description of an encryption device which can be dynamically allocated to a B-channel for cryptographic transformation. Several such devices are arranged in a pool through which the attached switching module can route B-channels to be encrypted or decrypted. One encryption device can only operate on one B-channel at a time. This is controlled and managed by the switching module. The pool is integrated with the switching module in such a way that it is directly controlled by the central processing unit of the switching module. No control is carried out in the pool itself, which is only a way of gathering encryption devices into a common resource pool.
The encryption system described in the Swedish paper has the following limitations:
- the pool of encryption devices is integrated with and directly controlled by the attached switching module, which means that a great impact on the switching module is necessary;
- the pool is only used for encryption of public network subscriber lines and thus has limited flexibility;
- the pool cannot provide end-to-end encryption of B-channels through the public network;
- the supported subscriber lines are limited to the ISDN Basic Rate Access (2B+D) type of interface; the ISDN Primary Rate Access (30B+D) type of interface is not supported, so the pool cannot support ISPABX subscriber attachments to the public network;
- the pool is accessed by an internal interface and controlled through specific signalling procedures of the switching module, not through a standardized interface, which makes the pool dependent on the manufacturer and also directly dependent on the attached switching module.

1. no extra transmission links provided by the switching module for the attachment of the security guard are required;
2. the security guard is totally independent of using any resources, services or features of the attached switching module.
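To make the pooled-device scheme and its capacity limit concrete, the following Python model is an added example (not code from the patent or from the Swedish paper): each pooled device is bound to exactly one B-channel at a time, a call is secured all-or-nothing so a refused call leaks no devices, and a pool sized for Basic Rate (2B+D) lines cannot cover a Primary Rate (30B+D) attachment. Class and function names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# B-channels per subscriber line for the two ISDN access types named above.
B_CHANNELS = {"BRA": 2, "PRA": 30}   # Basic Rate 2B+D, Primary Rate 30B+D


@dataclass
class EncryptionDevice:
    dev_id: int
    channel: str | None = None   # B-channel the device is bound to; None when free


class EncryptionPool:
    """Pool of encryption devices; each device serves one B-channel at a time."""

    def __init__(self, size: int) -> None:
        self.devices = [EncryptionDevice(i) for i in range(size)]

    def free_count(self) -> int:
        return sum(1 for d in self.devices if d.channel is None)

    def allocate(self, channels: list[str]) -> dict[str, int] | None:
        """Bind one free device per B-channel, all-or-nothing.
        Returns channel -> device id, or None when the pool cannot cover the
        whole call (nothing is bound in that case, so no devices leak)."""
        if len(channels) > self.free_count():
            return None
        free = (d for d in self.devices if d.channel is None)
        binding = {}
        for ch in channels:
            dev = next(free)
            dev.channel = ch
            binding[ch] = dev.dev_id
        return binding

    def release(self, channels: list[str]) -> None:
        """Return the devices bound to these B-channels to the pool (call teardown)."""
        for d in self.devices:
            if d.channel in channels:
                d.channel = None


def secure_call(pool: EncryptionPool, access: str, line: str) -> dict[str, int] | None:
    """Request encryption for every B-channel of one subscriber line.
    A BRA line needs 2 devices, a PRA line 30: this is the capacity limit
    of a pool dimensioned only for Basic Rate subscriber lines."""
    channels = [f"{line}:B{i + 1}" for i in range(B_CHANNELS[access])]
    return pool.allocate(channels)
```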